npm workspaces: update workspace package.json's embedded in package-lock.json - npm

I am using npm workspaces to manage a monorepo. I've noticed that the top-level package-lock.json includes a cached copy of each workspace's package.json, in its "package" field. How can I refresh these cached copies without also updating all dependency versions in package-lock.json?
So far, the best approach I've found is:
Delete the top-level package-lock.json.
Run npm i.
This works, but also updates all dependency versions in package-lock.json. I would prefer to avoid that, in case updating a dependency breaks something, and because this creates enormous git diffs for package-lock.json.
Non-solutions
Running npm update <workspace package name> does not work, at least if I have changed a workspace's package version number (No matching version found for <package name>#<new version>).
Same issue if I try npm i --package-lock-only as suggested here.
Motivation
package-lock.json is checked into my git monorepo, so I presume I need to update it like this each time I bump the workspace packages' versions.
I've also experienced a problem in the past where I updated the bin field in a workspace's package.json, but npm ci kept using the old version. That was fixed by refreshing package-lock.json, but again at the cost of updating all dependency versions.

You can write your own script, e.g.:
get the workspaces:
WORKSPACES=`jq -r '.workspaces | @sh' package.json | tr -d \\'`
then run a bash for loop:
for w in ${WORKSPACES[@]}; do echo "$w" && pushd . && cd $w && npm i && rm -rf node_modules; popd; done
so in package.json you could combine it in a script:
"update": "WORKSPACES=`jq -r '.workspaces | @sh' package.json | tr -d \\'` && for w in ${WORKSPACES[@]}; do echo \"$w\" && pushd . && cd $w && npm i && rm -rf node_modules; popd; done;"
or something like that.
Hope it helps.

Use npm version command to update the version in both package.json and package-lock.json
npm version <version> --workspace=<package-name>
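A CI-style check for the drift described in the question, as an added example that is not part of the original posts: it compares each workspace's package.json with the per-workspace entry that a lockfileVersion 2 or 3 file keeps under `packages`. The names `findStale`, `normalise` and `manifests` (a map from workspace path to parsed package.json) and the `@acme` packages are assumptions made for illustration.

```javascript
// Added example: compare workspace manifests with their lockfile copies.
const FIELDS = ['version', 'bin', 'dependencies', 'devDependencies', 'optionalDependencies'];

// Key-order-independent serialisation, so reordered keys are not reported.
function canon(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(canon).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + canon(v[k])).join(',') + '}';
}

// Assumption: the lockfile stores "bin" as an object with "./" stripped and
// omits empty dependency maps, so the manifest is normalised the same way.
function normalise(pkg, name) {
  const out = {};
  for (const f of FIELDS) {
    let v = pkg[f];
    if (f === 'bin' && typeof v === 'string') v = { [name.split('/').pop()]: v };
    if (f === 'bin' && v) {
      v = Object.fromEntries(Object.entries(v)
        .map(([k, p]) => [k, String(p).replace(/^\.\//, '')]));
    }
    if (v && typeof v === 'object' && Object.keys(v).length === 0) v = undefined;
    out[f] = canon(v);
  }
  return out;
}

function findStale(lock, manifests) {
  const stale = [];
  for (const [dir, manifest] of Object.entries(manifests)) {
    const locked = (lock.packages || {})[dir];
    if (!locked) { stale.push(`${dir}: not in lockfile`); continue; }
    const want = normalise(manifest, manifest.name || dir);
    const have = normalise(locked, manifest.name || dir);
    for (const f of FIELDS) if (want[f] !== have[f]) stale.push(`${dir}: ${f}`);
  }
  return stale;
}
// Constructed sample: the lockfile still holds cli@1.0.0 and its old bin path.
const lock = { lockfileVersion: 3, packages: {
  'packages/cli': { name: '@acme/cli', version: '1.0.0', bin: { cli: 'bin/old.js' } },
  'packages/lib': { name: '@acme/lib', version: '2.3.0' },
} };
const manifests = {
  'packages/cli': { name: '@acme/cli', version: '1.1.0', bin: './bin/cli.js' },
  'packages/lib': { name: '@acme/lib', version: '2.3.0', dependencies: {} },
};
console.log(findStale(lock, manifests));
```

In a pipeline, build `manifests` by reading each workspace's package.json from disk and fail the job when the returned list is not empty.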

Related

Updating npm outdated packages on a react project, may someone please help me on the situation

Package                      Current  Wanted  Latest  Location                                  Depended by
@testing-library/user-event  13.5.0   13.5.0  14.4.3  node_modules/@testing-library/user-event  ryan-mmbale
web-vitals                   2.1.4    2.1.4   3.1.1   node_modules/web-vitals                   ryan-mmbale
I tried the following code but it did not work for me
rm -f package-lock.json
npm cache clean --force
Actually, the commands
rm -f package-lock.json
npm cache clean --force
are used to clear the npm cache and delete the package-lock.json file. It basically locks, or you can say preserves, the package versions in your project, which is of no use to you, I guess.
You can use the command
npm update
it basically checks all the versions of the packages which are present inside your package.json and updates all of them.
Additionally if you want to update any specific package you can use this command.
npm install @testing-library/user-event@14.4.3 web-vitals@3.1.1
The version after both the packages indicates the version of package which you want to install.
Happy Coding :)

Can I re-create node_modules from package-lock.json?

I cloned a repository from github which has a package-lock.json (but no package.json). Then in a git bash terminal I go to the directory and run npm install but I just get a message saying there is no package.json and then everything in package-lock.json gets deleted so it's basically empty except for the project name and version.
I thought running npm install with a package-lock.json in the directory was enough to re-create node_modules, but am I seriously misunderstanding how this works? By the way I have node 8.12.0 and npm 6.4.1 and am running on Windows 10. Also, I think the package-lock.json was created on a unix system so could there be problems when using package-lock.json on a different OS?
I already tried running npm init just to get a package.json file and then running npm install but that still didn't get me a node_modules folder.
Starting from Mar 5, 2018, you can run npm ci to install packages from package-lock.json.
npm ci bypasses a package’s package.json to install modules from a
package’s lockfile.
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
package-lock.json records the exact version and URL of the packages that need to be installed, thus you can use npm to install them accordingly:
npm can install from urls that point to tarballs
--no-package-lock option to tell npm to not touch package-lock.json file
For example, to install all packages in package-lock.json:
cat package-lock.json | jq '.dependencies[].resolved' | xargs npm i --no-package-lock
jq is a command line tool to parse JSON; you can write a simple JavaScript script to parse it instead (if you do not want to install jq or learn jq's query syntax).
AFAIK, the package-lock.json file relies on the presence of a package.json file, so you'll not be able to recreate your node_modules folder from the package-lock.json file alone (happy to be proved wrong here).
Therefore, your best bet is to (mis)use a module like auto-install that is capable of generating the package.json file based on a project's dependencies, as they appear in the files.
Install it globally (npm install -g auto-install), then you'll need to generate an empty package.json file for it to run (use npm init -y in your project root). Kick things off with the command auto-install and it should add the dependencies to the package.json file.
HTH

Why did package-lock.json change the integrity hash from sha1 to sha512?

I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is happening here?
"chalk": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/chalk/-/chalk-2.0.1.tgz",
- "integrity": "sha1-ce5R+nvkyuwaY4OffmgtgTLTDK8=",
+ "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
[…]
}
From what I can see, npm changed the integrity checksum from sha1 to sha512.
If your git changes are going from sha1 to sha512, you should do that update once and it will be good after that.
If someone else is working with the codebase and sees a git change from sha512 down to sha1 (which is the issue I was having), you can fix it by running the following:
Discard the changes in git for package-lock.json
npm i -g npm
rm -rf node_modules/
npm i
This will update npm and reinstall all of your packages so that the new checksum (sha512) is present.
Building on what Dave answered, the fix I found was to do the following:
npm i -g npm
cd {working directory}
rm -rf node_modules/
rm package-lock.json
npm cache clear --force
npm i
We did this for all our developers at the same time and this stopped the sha-512 vs sha-1 issue which was causing frustrating merge conflicts.
See also https://github.com/npm/npm/issues/17749 which although claims the issue is 'fixed', it isn't. Removing node_modules is a workaround.
There may be a relationship with operating systems. We're hitting this right now with developers on Linux and Windows platforms.
Like @Daniel Cumings, I also had to remove the package-lock.json to get rid of the sha1 hashes. Here are the Windows CLI commands for reference, which do the same as Daniel's script:
npm i -g npm
rd /s /q "node_modules"
del package-lock.json
npm cache clear --force
npm i
I'm working in a big team. Forcing every developer to force clean the npm cache is difficult and not reliable. Also, this doesn't help every time. So, for anyone who is still facing this npm issue (same as me) and nothing else helps – try this git based tool I've built recently: https://github.com/kopach/lockfix. It reverts sha512 -> sha1 integrity changes of npm's lock files. If you add this to your postshrinkwrap script of package.json, you should eventually get all integrity properties set to sha512 and have a consistent lock file.
npm install --save-dev lockfix
"scripts": {
"postshrinkwrap": "lockfix"
},
You can resolve this issue by making the following changes:
Ensure npm version: 7.x or above
Create a .npmrc file
# .npmrc
lockfile-version=3
Remove your node_modules: rm -rf node_modules/
Remove existing package-lock.json: rm package-lock.json
Install npm packages: npm install
You can check the integrity hash:
$ grep -o 'sha1' package-lock.json | wc -l
This most likely happened because you changed the node version you're using.
Newer versions of npm use hash512.
In my case I work in a shared project and what happened is I ran a FRESH npm i with a newer version of npm, which caused my package-lock file to be changed to use hash512. After that, I refreshed my branch, i.e. git reset --hard && git pull, which brought me a package-lock file with SHA1 checksums.
Because I still had my node_modules installed with a newer version of npm right after doing git pull I ran npm i which changed my package-lock file to use hash512.
The tl;dr is:
Make sure you're using the correct node version for the project, prefer using nvm use
rm -Rf node_modules && npm i (you MUST do rm -Rf node_modules, otherwise you will keep getting package-lock changes)
This should keep your project consistent
If you're using npm v5 or later, and you're seeing the integrity hashes changing from sha512 back to sha1, one way to remedy that without removing your package-lock.json is to do the following:
Remove all the sha1 integrity hashes from your package-lock.json (do not remove your package-lock.json); for example:
diff --git a/package-lock.json b/package-lock.json
index 6374e258..05f77ec8 100644
--- a/package-lock.json
+++ b/package-lock.json
## -56,12 +56,10 ##
"#babel/core": {
"version": "7.9.6",
"resolved": "https://registry.npmjs.org/#babel/core/-/core-7.9.6.tgz",
- "integrity": "sha1-X+QF1VU04G078GD4anmTXNpfZhU="
},
"#babel/parser": {
"version": "7.9.6",
"resolved": "https://registry.npmjs.org/npm-adobe-release/#babel/traverse/-/traverse-7.9.6.tgz",
- "integrity": "sha1-fGzlDyLGPvCJNpHXPZrCdGz7QSY="
},
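Review bot: in both entries the "resolved" line keeps its trailing comma once the "integrity" line below it is deleted, so the file as shown is no longer valid JSON; remove the comma on each "resolved" line in the same edit. The second entry also deserves a look before reinstalling: its key names a parser package while "resolved" points at a traverse-7.9.6.tgz tarball under an npm-adobe-release path, and with the integrity value gone the regenerated hash will simply describe whatever that URL serves.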
Remove your node_modules: rm -rf node_modules
Clear the npm cache: npm cache clean --force
Install the packages: npm install
This should result in your package-lock.json updated with the sha512 integrity hashes.
In my case npm -g i npm was not enough; I had to modify PATH to point to the new npm at the beginning.
To check it without modification try /usr/local/bin/npm i instead of npm i.
Further building on previous comments and suggestions, for me I needed to wipe the existing node_modules folder, the cache, and then grab the sha512 package-lock.json file from git (which was committed from another computer), and finally do an npm i. Something like this:
npm i -g npm
rm -rf node_modules/
npm cache clear --force
git reset --hard
npm i
After this package-lock.json used sha512 and other changes stabilized.
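A more precise version of the `grep -o 'sha1'` check from the answers above, as an added example that is not part of the original posts: it walks the lockfile and lists which entries have only a sha1 hash, which have no integrity value at all, and which already use sha512. The function names and the sample lockfiles are assumptions constructed for illustration; it covers both the nested lockfileVersion 1 layout and the flat `packages` layout of versions 2 and 3.

```javascript
// Added example: report lockfile entries by strongest "integrity" algorithm.
// Covers lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
const RANK = new Map([['sha1', 1], ['sha256', 2], ['sha384', 3], ['sha512', 4]]);

// An integrity value is one or more space-separated "<algo>-<base64>" items.
function strongestAlgo(integrity) {
  let best = null;
  for (const item of String(integrity || '').trim().split(/\s+/)) {
    const algo = item.slice(0, Math.max(item.indexOf('-'), 0));
    if (RANK.has(algo) && (!best || RANK.get(algo) > RANK.get(best))) best = algo;
  }
  return best;
}

function* walkV1(deps, prefix) {
  for (const [name, pkg] of Object.entries(deps || {})) {
    yield [prefix + name, pkg];
    yield* walkV1(pkg.dependencies, prefix + name + ' > ');
  }
}

function auditIntegrity(lock) {
  const report = { sha512: [], weak: [], missing: [] };
  const entries = lock.packages
    ? Object.entries(lock.packages)
    : [...walkV1(lock.dependencies, '')];
  for (const [path, pkg] of entries) {
    // Only HTTP(S) tarballs are checked; root, workspace dirs and links are skipped.
    if (pkg.link || !/^https?:/.test(pkg.resolved || '')) continue;
    const algo = strongestAlgo(pkg.integrity);
    if (!algo) report.missing.push(path);
    else if (algo === 'sha512') report.sha512.push(path);
    else report.weak.push(`${path} (${algo})`);
  }
  return report;
}

// Constructed sample input; the hash values are placeholders, not real digests.
const TGZ = 'https://registry.npmjs.org/chalk/-/chalk-2.0.1.tgz';
const sampleV1 = { lockfileVersion: 1, dependencies: {
  chalk: { version: '2.0.1', resolved: TGZ, integrity: 'sha1-Y29uc3RydWN0ZWQ=',
    dependencies: { inner: { version: '1.0.0', resolved: 'https://registry.example/inner.tgz' } } },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' }, 'packages/cli': { version: '1.0.0' },
  'node_modules/cli': { resolved: 'packages/cli', link: true },
  'node_modules/chalk': { version: '2.0.1', resolved: TGZ, integrity: 'sha512-Y29uc3RydWN0ZWQ=' },
} };
console.log(auditIntegrity(sampleV1), auditIntegrity(sampleV3));
```

Run against a parsed package-lock.json, a non-empty `weak` or `missing` list makes a useful pre-merge gate for the sha512-to-sha1 regressions discussed above.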

npm install not creating a new package-lock.json

I accidentally deleted my package-lock.json file. npm install is not generating a new one. How do I get npm to recreate this file.
There might be a file called .npmrc which can contain
package-lock=false
which will cause the package lock file to not be generated.
In theory you could also have turned on npm config set package-lock false globally (change to true to turn on again), but that's less likely to happen unintentionally.
The package-lock.json file was introduced in npm v5, so the steps you need to take to regenerate package-lock.json depend on which version of npm you're using.
FYI. Let's verify what version of node and npm.
npm -v
prints: x.x.x
node -v
prints: x.x.x
I believe package-lock.json is auto-generated if the 2 conditions
npm version > 5.x.x and node version > 7.x.x are met.
Then, try the following steps depending on which version you have:
npm v5+:
Regenerate the package-lock.json by running npm install. You may also regenerate the file without actually downloading dependencies by using npm install --package-lock-only
npm v4.x & earlier:
Generate a npm-shrinkwrap.json by running npm shrinkwrap. This file has the same format as package-lock.json and achieves essentially the same purpose in earlier versions of npm (see https://docs.npmjs.com/files/package-lock.json and https://docs.npmjs.com/files/shrinkwrap.json for detailed information on this point)
Rename the npm-shrinkwrap.json to package-lock.json
To resolve this issue I tried the things mentioned below and they worked for me:
Make sure package-lock is globally enabled; you can enable it using:
npm config set package-lock true
To make sure your .npmrc is not blocking the creation of package-lock file, set this to your .npmrc
echo 'package-lock=true' >> .npmrc
note: package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json for npm -v > 5.x.x.
check your npm version: npm -v
update your npm to latest version using:
npm install -g npm@latest
npm i -g npm-upgrade
Make sure you are in the right folder in the command line (use pwd in Linux/macOS to get the current path you're in).
I've run npm install many times, just to find out later I was doing it in the wrong folder.
I was also facing the same issue
I just removed the package-lock=false from .npmrc and now it is creating the lock file
If your npm version is <5 you will have a shrinkwrap.json file created when running npm install.
Otherwise package-lock will be created on npm versions 5 and above.

Why does "yarn install" raise an ENOENT error when installing esparse?

I have a JavaScript project using npm to manage its dependencies. I'm trying to migrate to Yarn.
When I run yarn install in the console, it gives me an error:
An unexpected error occurred: "ENOENT: no such file or directory,
chmod C:\....\node_modules\.bin\esparse"
From what I read on the yarn docs, just running yarn install should be enough. Why doesn't this work as expected?
I am using Yarn 0.17.0, npm 2.14.12 and Node 4.2.4.
The following Solution worked for me
rm -rf node_modules **/node_modules
rm -rf yarn.lock **/yarn.lock
yarn cache clean
yarn install
This is a pretty old question, but with latest yarn for now (1.17.3) the same problem arises.
The solution which works for me, although more time consuming, is to delete yarn.lock file.
Please keep in mind that afterward, all libraries will get updated to the latest versions according to the rules you specified in package.json file
I had a similar issue which was resolved by running the following commands:
npm install yarn -g --force
yarn --c
rm package-lock.json
rm yarn-lock.json
yarn install